[Plugin: WP Super Cache] strange page/url in newest cached pages list

Looks like this is a phishing attack – if someone is careless enough to click the link from the newly cached pages (doh!) then perhaps the url is crafted to get WordPress to execute the query encoded in the text page – the bit beginning eval(base64_decode(

I guess this has injected some code into a file somewhere.

Anyone know how I can decode the section in the above txt file to see what it did?

Sok

It’s not WP executing the query, it’s the PHP on your web server that executes it.

Start searching for modified PHP files. Best place to start is plugins and the active theme.

Thanks Ron,

Will start checking

Sok

Being a bit of a dimwit here Ron, but wouldn’t there have to be a .php extension in the URL for it to be executed directly by the server?

wouldn’t there have to be a .php extension in the URL for it to be executed directly by the server?

How do your pretty permalinks (or the home of the web site) end up being server by WP when there is no .php in the URL?

Your webserver is configured to direct requests to index.php (while keeping the request uri intact) and you may also have an .htaccess that rewrites the request to the same result.

As soon as the web server sees that the request is going to a .php file it hands the request over to PHP for processing. PHP then loads your index.php (or xml-rpc.php, etc.).

Haven’t found anything suspicious yet if anyone is still reading. Interestingly found a couple of entries in Apache access log showing a couple of Korean and Japanese IP addresses querying the site with HTTP 200 status codes